Reserve ephemeral ports that are expected by system services

Update sysctl.conf to reserve keystone and tiller ports so that any initial system processes do not claim these ports. These are also reserved in puppet and part of initial system provisioning. Change-Id: I3bae661348718df00f7b50ba15931281a744d473 Closes-Bug: #1869011 Related-Bug: #1851533 Signed-off-by: Robert Church <robert.church@windriver.com>
2020-03-25 17:19:57 -04:00 · 2020-03-25 17:19:57 -04:00 · de8d65efdf
parent b95127d680
commit de8d65efdf
1 changed files with 11 additions and 0 deletions
--- a/initscripts-config/files/sysctl.conf
+++ b/initscripts-config/files/sysctl.conf
@ -86,3 +86,14 @@ net.ipv4.tcp_keepalive_time = 5
 # Reduce this delay to 8 shortens this to ~100 seconds.
 net.ipv4.tcp_retries2 = 8

+# Reserve ports in the ephemeral port range:
+#
+# Incorporate the reserved keystone port (35357) from
+# /usr/lib/sysctl.d/openstack-keystone.conf
+#
+# Helm v2.13.1 hardcodes the following Tiller ports when installed in the
+# k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them
+# from the ephemeral port range. This will avoid potential port conflicts
+# that will cause the tiller pod to crash when the port is assigned to
+# another client/server
+net.ipv4.ip_local_reserved_ports=35357,44134-44136